CVS Problems
by Noel Davis, 01/27/2003
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in
Concurrent Versions System (CVS), DHCP, slocate, Vim, Linux printer
drivers, susehelp, fnord, mpg123, Astaro Security Linux firewall, and phpLinks.
- Concurrent Versions System
- Vim (Vi Improved)
- DHCP
- slocate
- Linux Printer Driver Vulnerabilities
- susehelp
- fnord
- mpg123
- Astaro Security Linux firewall
- phpLinks
Concurrent Versions System
Concurrent Versions System, or CVS, is a very popular source code version control system that is released as open source. CVS is vulnerable to a double-free-based attack that can be exploited to execute arbitrary code on the server with the permissions of the user running CVS (some installations may run the CVS server as root). In addition, this vulnerability can be used by an anonymous read-only CVS user to commit changes to the CVS tree.
Users should upgrade to CVS version 1.5 as soon as possible, and
should consider disabling CVS until it has been upgraded. It is also
recommended that CVS be set up to run chrooted and that users connect
using SSH and not the pserver.
Vim (Vi Improved)
The Vim editor has a vulnerability that can be used to execute
arbitrary commands via modelines' libcall feature. Versions 6.0 and
6.1 of Vim are reported to be affected. An attacker can create a file
that contains lines that will be executed when the file is edited with
Vim. Users who read email messages or log files using Vim should
exercise special care.
It is recommended that users upgrade to a repaired version as soon as
possible. Adding the line "set modelines=0" to .vimrc will disable
the processing of modelines. Users should consider leaving
modelines disabled after upgrading Vim.
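Because Vim only honours modelines in the first and last few lines of a file, mail spools and log files can be screened for them before anyone opens them in the editor. The following scanner is an added example, not code from the column; the list of option names in _PROGRAM_OPTION and the sample inputs are my own construction.

```python
import re
from typing import List, Tuple

# Vim only reads modelines in the first and last 'modelines' lines (default 5).
DEFAULT_MODELINES = 5

# Marker per ':help modeline': vi:, vim:, Vim:, ex:, or a versioned form such as
# vim600:, at the start of the line or after whitespace; the rest is the options.
_MARKER = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex|vim[<=>]?\d+):\s*(.*)$')
# Options that name an external program; a modeline has no business setting them.
_PROGRAM_OPTION = re.compile(r'^(?:sh|shell|makeprg|mp|grepprg|gp|equalprg|ep|formatprg|fp|keywordprg|kp)=')

def split_options(opts: str) -> List[str]:
    """Tokenise both forms: 'vim: ts=4:sw=4' and 'vim: set ts=4 sw=4: trailing text'."""
    # Separators are whitespace or ':'; a backslash-escaped colon is a literal colon.
    m = re.match(r'(?:setl(?:ocal)?|set?)\s+(.*?)(?<!\\):', opts)
    if m:
        opts = m.group(1)
    opts = opts.replace('\\:', '\x00')
    return [t.replace('\x00', ':') for t in re.split(r'[\s:]+', opts) if t]

def find_modelines(text: str, nlines: int = DEFAULT_MODELINES) -> List[Tuple[int, List[str]]]:
    """(1-based line number, option tokens) for every modeline Vim would actually read."""
    lines = text.splitlines()
    if len(lines) <= 2 * nlines:
        window = list(enumerate(lines, 1))
    else:
        window = list(enumerate(lines[:nlines], 1)) + \
            list(enumerate(lines[-nlines:], len(lines) - nlines + 1))
    found = []
    for lineno, line in window:
        m = _MARKER.search(line)
        if m:
            found.append((lineno, split_options(m.group(1))))
    return found

def risky_tokens(tokens: List[str]) -> List[str]:
    """Tokens that invoke libcall() or point an option at an external program."""
    return [t for t in tokens if 'libcall' in t or _PROGRAM_OPTION.match(t)]

def scan(text: str, nlines: int = DEFAULT_MODELINES) -> List[Tuple[int, List[str]]]:
    """Modelines worth a look before the file is opened in Vim."""
    return [(n, risky_tokens(t)) for n, t in find_modelines(text, nlines) if risky_tokens(t)]

# Constructed samples: a log-like file with a planted modeline on its last line,
# and an ordinary source file with a harmless indentation modeline.
SAMPLE_LOG = "\n".join(
    ["Jan 27 00:00:01 host sshd[123]: Accepted publickey for alice"] * 8
    + ['# vim: set ts=4 foldexpr=libcall("example.so","demo","x"):']
)
SAMPLE_SOURCE = "/* vim: set ts=4 sw=4 et: */\nint main(void) { return 0; }\n"
```

Pass a larger nlines than 5 if the local .vimrc raises the 'modelines' option, since the window the scanner inspects must match what Vim inspects.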
DHCP
Problems have been reported in the Internet Software Consortium's DHCP server.
dhcp's code that handles dynamic DNS requests contains buffer
overflows that can be exploited to gain access to the server when
dynamic DNS is enabled.
The dhcp3 server is vulnerable to buffer overflows in error functions
in the minires library that can be exploited by a remote attacker to
execute code with the permission of the user running dhcp3 (normally
root).
It is recommended that users watch their vendor for updated packages.
The problem with dynamic DNS can be worked around by disabling dynamic
DNS and restarting the dhcp server.
slocate
slocate, an application used to index and find files, has a buffer
overflow that can be exploited by local attackers to execute arbitrary
code with increased privileges when slocate has been installed with the set
user id or set group id bits set. A script to automate the
exploitation of slocate is reported to have been written, and may have
been distributed.
Users should upgrade to version 2.7 or newer of slocate as soon as
possible. If it is not possible to upgrade or if slocate is not being
used on the system, users should consider removing or disabling it.
Linux Printer Driver Vulnerabilities
Vulnerabilities have been reported in the Linux printer drivers mtink,
escputil, and ml85p. mtink is vulnerable due to a buffer overflow in
the code that handles the HOME environment variable. escputil has a
buffer overflow in the code that processes the --printer-name command
line argument (this vulnerability is only exploitable when the driver
is installed set user id or set group id). ml85p is vulnerable to
a temporary-file, symbolic-link race condition, but is only executable
by root or the sys group. ml85p's vulnerability may be exploited to gain root permissions when an attacker has already gained sys permissions by
exploiting another vulnerability.
Users should watch their vendor for an updated package that repairs these vulnerabilities.
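Both the slocate item and the escputil item above turn on whether the binary is installed set-user-id or set-group-id, so the first thing to establish on a host is which of the named binaries carry those bits. This audit is an added example, not code from the column; the search directories are an assumption, and demo() builds a constructed tree so the logic can be checked without touching the real system.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Optional, Sequence

# Binaries named in the advisories whose flaws matter most when installed set-id.
WATCHED = ("slocate", "escputil", "mtink", "ml85p")
# Assumed install locations; adjust to the distribution in use.
SEARCH_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")

def setid_bits(path: str) -> List[str]:
    """Names of the set-id bits present on path; empty if none, or if path is missing."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return []
    return [name for flag, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
            if mode & flag]

def locate(name: str, dirs: Sequence[str] = SEARCH_DIRS) -> Optional[str]:
    """First regular file called name in dirs, or None if it is not installed there."""
    for d in dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p):
            return p
    return None

def audit(names: Sequence[str] = WATCHED, dirs: Sequence[str] = SEARCH_DIRS) -> Dict[str, List[str]]:
    """Map each installed watched binary to its set-id bits (an empty list means the
    set-id precondition for the slocate/escputil flaws is absent on that file)."""
    report = {}
    for name in names:
        path = locate(name, dirs)
        if path is not None:
            report[path] = setid_bits(path)
    return report

def demo() -> Dict[str, List[str]]:
    """Self-check on a constructed tree: a fake 'slocate' at 4755, a fake 'escputil' at 0755."""
    tmp = tempfile.mkdtemp()
    try:
        for name, mode in (("slocate", 0o4755), ("escputil", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder body, never executed
            os.chmod(path, mode)
        return {os.path.basename(p): bits for p, bits in audit(("slocate", "escputil"), (tmp,)).items()}
    finally:
        shutil.rmtree(tmp)
```

Run audit() on a live host and treat any non-empty list for slocate or escputil as the cue to upgrade, or to strip the bits or remove the package as the column suggests.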
susehelp
SuSE's susehelp CGI scripts are vulnerable to attacks that can be used
to execute arbitrary code with the permissions of the wwwrun user.
Systems that are not running a web server or have susehelp configured
so that it does not allow access by remote systems are not vulnerable.
SuSE recommends that users upgrade the susehelp packages. Users who
do not use susehelp should consider removing or disabling the package.
fnord
fnord, a small web server, has a buffer overflow that is reported to
not be exploitable.
The buffer overflow is repaired in version 1.7 of fnord and it is
recommended that users upgrade.
mpg123
mpg123 is a command-line MPEG audio player. It is reported to be
vulnerable to a buffer overflow that can be exploited, under some
conditions, to execute arbitrary code. This vulnerability is reported
to only affect versions after 0.59r and any CVS versions downloaded
after Oct. 25th, 2000.
Affected users should downgrade to version 0.59r until the current
source for mpg123 has been patched to repair this problem.
Astaro Security Linux Firewall
The Astaro Security Linux firewall's web proxy has a vulnerability that can be used to connect to hosts using the firewall as a relay. Examples of how this can be abused include: sending spam, connecting to unauthorized hosts protected by the firewall, and scanning a network.
Users should install patch 3.215 and then manually restrict the ports that the proxy server is allowed to connect to or deny ports to which the server should not connect.
phpLinks
phpLinks, an open source Web-based link management system, has a
problem with the include/add.php script that can be used by a remote
attacker to inject code that when viewed by the administrator will
execute.
It is recommended that JavaScript be turned off in the administrator's browser prior to using phpLinks and that users watch for an updated version that fixes this problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.